Debian + Postfix + Dovecot + Multidomain + SSL + IPv6 + OpenVPN + Multi-interface + SpamAssassin-learn + Bind

This article is about setting up a modern mail server.
Postfix + Dovecot. SPF + DKIM + rDNS. With IPv6.
With TLS encryption. With support for several domains, some of them with a real SSL certificate.
With anti-spam protection and a high anti-spam rating from other mail servers.
With support for several physical interfaces.
With OpenVPN, connecting over IPv4 and providing IPv6.

If you don't want to learn all these technologies but want to set up such a server, this article is for you.

The article doesn't try to explain every detail. It explains what is configured in a non-standard way, or what matters from the user's point of view.

Setting up a mail server has been a long-standing dream of mine. It may sound silly, but IMHO it beats dreaming about a new car from your favourite make.

There are two motives for setting up IPv6. An IT specialist has to keep learning new technologies to stay alive. And I'd like to make my own small contribution to the fight against censorship.

The motive for setting up OpenVPN is simply to get IPv6 working on my local machine.
The motive for setting up several physical interfaces is that my server has one interface that is "slow but unmetered" and another that is "fast but metered".

The motive for setting up Bind is that my ISP provides an unstable DNS server, and Google's also fails from time to time. I want a stable DNS server for personal use.

The motive for writing the article: I wrote a draft 10 months ago and have already looked at it twice since. Even if only the author needs it regularly, chances are others will need it too.

There is no universal mail server solution. But I'll try to write something like "do this, and then, once everything works as it should, throw out the extra bits."

The company tech.ru offers Colocation. It can be compared with OVH, Hetzner, AWS. For this task, working with tech.ru turns out to be much more efficient.

Debian 9 is installed on the server.

The server has 2 interfaces, `eno1` and `eno2`. The first is unmetered and the second is fast, respectively.

There are 3 static IP addresses: XX.XX.XX.X0, XX.XX.XX.X1 and XX.XX.XX.X2 on interface `eno1`, and XX.XX.XX.X5 on interface `eno2`.

There is an IPv6 pool XXXX:XXXX:XXXX:XXXX::/64 assigned to interface `eno1`, and from it XXXX:XXXX:XXXX:XXXX:1:2::/96 was assigned to `eno2` at my request.

There are 3 domains: `domain1.com`, `domain2.com`, `domain3.com`. There is an SSL certificate for `domain1.com` and `domain3.com`.

I have a Google account to which I want to attach my mailbox `[email protected]` (receiving mail, and sending mail directly from the gmail interface).
There should be a mailbox `[email protected]` whose mail I want to see copied into my gmail. And, rarely, be able to send something as `[email protected]` via the web interface.

There should be a mailbox `[email protected]` that Ivanov will use on his iPhone.

Sent mail must satisfy all modern anti-spam requirements.
The strongest level of encryption available on public networks must be used.
There must be IPv6 support for both sending and receiving mail.
There must be a SpamAssassin that never deletes mail. It either bounces a message, lets it through, or puts it in the IMAP "Spam" folder.
SpamAssassin auto-learning must be configured: if I move a message into the Spam folder, it learns from that; if I move a message out of the Spam folder, it learns from that too. The results of SpamAssassin training must influence whether a message ends up in the Spam folder.
PHP scripts must be able to send mail on behalf of any domain on this server.
There must be an openvpn service, with the ability to use IPv6 on a client that has no IPv6 itself.

First you need to configure the interfaces and routing, including IPv6.
Then configure OpenVPN, which connects over IPv4 and gives the client a static IPv6 address. This client will have access to all IPv6 services on the server and to any IPv6 resources on the internet.
Then configure Postfix for sending mail + SPF + DKIM + rDNS and other similar small things.
Then configure Dovecot and set up multidomain.
Then configure SpamAssassin and set up its training.
Finally, install Bind.

============= Multiple interfaces ==============

To configure the interfaces, write the following in "/etc/network/interfaces".

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet static
        address XX.XX.XX.X0/24
        gateway XX.XX.XX.1
        dns-nameservers 127.0.0.1 213.248.1.6
        post-up ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t
        post-up ip route add default via XX.XX.XX.1 table eno1t
        post-up ip rule add table eno1t from XX.XX.XX.X0
        post-up ip rule add table eno1t to XX.XX.XX.X0

auto eno1:1
iface eno1:1 inet static
        address XX.XX.XX.X1
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X1
        post-up ip rule add table eno1t to XX.XX.XX.X1
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

auto eno1:2
iface eno1:2 inet static
        address XX.XX.XX.X2
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:1:1:2/64 dev $IFACE

# The secondary network interface
allow-hotplug eno2
iface eno2 inet static
        address XX.XX.XX.X5
        netmask 255.255.255.0
        post-up   ip route add XX.XX.XX.0/24 dev eno2 src XX.XX.XX.X5 table eno2t
        post-up   ip route add default via XX.XX.XX.1 table eno2t
        post-up   ip rule add table eno2t from XX.XX.XX.X5
        post-up   ip rule add table eno2t to XX.XX.XX.X5
        post-up   ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t
        post-down ip route del 10.8.0.0/24 dev tun0 src XX.XX.XX.X5 table eno2t

iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        up   ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:1/64 dev $IFACE
        down ip -6 addr del XXXX:XXXX:XXXX:XXXX:1:2:1:2/64 dev $IFACE

# OpenVPN network
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

These settings can be applied on any server at tech.ru (with a little coordination with support) and will work right away as they should.

If you have experience configuring the same thing at Hetzner or OVH, it is different there. Much more complicated.

eno1 is the name of network card #1 (slow but unmetered).
eno2 is the name of network card #2 (fast but metered).
tun0 is the name of the virtual network card created by OpenVPN.
XX.XX.XX.X0 - IPv4 #1 on eno1.
XX.XX.XX.X1 - IPv4 #2 on eno1.
XX.XX.XX.X2 - IPv4 #3 on eno1.
XX.XX.XX.X5 - IPv4 #1 on eno2.
XX.XX.XX.1 - IPv4 gateway.
XXXX:XXXX:XXXX:XXXX::/64 - IPv6 for the whole server.
XXXX:XXXX:XXXX:XXXX:1:2::/96 - IPv6 for eno2; everything else going out uses eno1.
XXXX:XXXX:XXXX:XXXX::1 - IPv6 gateway (note that this can/should be done differently: specify the IPv6 address of the switch).
dns-nameservers - 127.0.0.1 is listed (because bind is installed locally) and 213.248.1.6 (this one is from tech.ru).

"table eno1t" and "table eno2t" - the meaning of these routing rules is that traffic coming in through eno1 goes back out through eno1, and traffic coming in through eno2 goes back out through eno2. Connections initiated by the server itself go out through eno1 (the default route in the main table).

ip route add default via XX.XX.XX.1 table eno1t

With this command we specify that any traffic looked up in table eno1t (that is, traffic matched by one of the "table eno1t" rules) which has no more specific route in that table is sent out through eno1 via the gateway.

ip route add XX.XX.XX.0/24 dev eno1 src XX.XX.XX.X0 table eno1t

With this command we put the directly connected network XX.XX.XX.0/24 into table eno1t, with XX.XX.XX.X0 as the preferred source address. It has to come first: without it the gateway XX.XX.XX.1 is unreachable from within that table, and the default route above cannot be installed.

ip rule add table eno1t from XX.XX.XX.X0
ip rule add table eno1t to XX.XX.XX.X0

With these commands we add the policy routing rules: packets from XX.XX.XX.X0, and packets to XX.XX.XX.X0, are looked up in table eno1t instead of the main table.

auto eno1:2
iface eno1:2 inet static
        address XX.XX.XX.X2
        netmask 255.255.255.0
        post-up ip rule add table eno1t from XX.XX.XX.X2
        post-up ip rule add table eno1t to XX.XX.XX.X2

This block configures another (the third) IPv4 address of the eno1 interface, and adds the same pair of rules for it.

ip route add 10.8.0.0/24 dev tun0 src XX.XX.XX.X1 table eno1t

With this command we add a route to the OpenVPN clients (10.8.0.0/24 via tun0) into table eno1t, so that the additional local IPv4 addresses (other than XX.XX.XX.X0) can exchange traffic with the clients instead of sending the replies to the gateway.
I still don't understand why this one command is enough for all the IPv4 addresses.
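A check for the rules above, added here as an example and not part of the original article: it asks the kernel (`ip route get DST from SRC`) which device a packet would leave through and compares that with what the interfaces file promises. It also makes the "why is one route enough" point visible: all three eno1 addresses are steered into the same table eno1t by their rules, so a single 10.8.0.0/24 route in that table serves all of them. The placeholder addresses XX.XX.XX.X0 and so on and the table names eno1t/eno2t are assumed from the text; substitute the real ones before running it on the server. The parsing helpers run anywhere; the live checks only run with RUN_CHECKS=1.

```shell
#!/bin/sh
# Added example, not part of the original article: check that the policy routing
# built by /etc/network/interfaces really sends traffic out of the interface it
# should. The addresses are the article's placeholders (XX.XX.XX.X0 and so on)
# and the table names eno1t/eno2t are the ones added to /etc/iproute2/rt_tables;
# substitute the real values before running it on the server.

# "dev" token of one line of `ip route get` output.
route_get_dev() {
    # $1: e.g. "8.8.8.8 from 192.0.2.10 via 192.0.2.1 dev eno1 table eno1t uid 0"
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# "table" token of the same line; `ip` omits the keyword for the main table.
route_get_table() {
    t=$(printf '%s\n' "$1" | sed -n 's/.* table \([^ ]*\).*/\1/p')
    printf '%s\n' "${t:-main}"
}

# Ask the kernel which path a packet from $1 to $2 takes and compare the
# outgoing device with $3. Prints one PASS/FAIL line, returns 1 on mismatch.
check_path() {
    src=$1; dst=$2; want=$3
    line=$(ip route get "$dst" from "$src" 2>/dev/null | head -n 1)
    got=$(route_get_dev "$line")
    if [ "$got" = "$want" ]; then
        printf 'PASS %s -> %s leaves via %s (table %s)\n' "$src" "$dst" "$got" "$(route_get_table "$line")"
    else
        printf 'FAIL %s -> %s: wanted %s, kernel says: %s\n' "$src" "$dst" "$want" "$line"
        return 1
    fi
}

# What the interfaces file promises:
#  - packets sourced from any eno1 address leave through eno1 (table eno1t)
#  - packets sourced from the eno2 address leave through eno2 (table eno2t)
#  - replies to OpenVPN clients (10.8.0.0/24) go through tun0 from any source,
#    because each table carries the 10.8.0.0/24 route and all three eno1
#    addresses are steered into the same table eno1t
check_policy_routing() {
    rc=0
    check_path XX.XX.XX.X0 8.8.8.8   eno1 || rc=1
    check_path XX.XX.XX.X1 8.8.8.8   eno1 || rc=1
    check_path XX.XX.XX.X2 8.8.8.8   eno1 || rc=1
    check_path XX.XX.XX.X5 8.8.8.8   eno2 || rc=1
    check_path XX.XX.XX.X1 10.8.0.10 tun0 || rc=1
    check_path XX.XX.XX.X5 10.8.0.10 tun0 || rc=1
    echo "--- ip rule (evaluated in priority order) ---"
    ip rule show
    return $rc
}

# Only run the live checks when asked, so the file can be sourced for its functions.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    check_policy_routing
fi
```

Run it as root with `RUN_CHECKS=1 sh check-routing.sh` after `/etc/init.d/networking restart`; a FAIL line shows the kernel's actual answer, which is usually a missing rule (the address is looked up in the main table) or a missing connected route in the custom table.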

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
        gateway XXXX:XXXX:XXXX:XXXX::1

Here we set the address of the interface itself. The server will use it as its "outgoing" address. It is not used in any other way.

Why such a complicated ":1:1::"? So that OpenVPN works correctly, and only for that. More on this later.

About the gateway: this is how it works, and that's fine. But the proper way is to specify here the IPv6 address of the switch the server is connected to.

However, for some reason IPv6 stops working when I do that. This is probably some tech.ru issue.

ip -6 addr add XXXX:XXXX:XXXX:XXXX:1:1:1:1/64 dev $IFACE

This adds an IPv6 address to the interface. If you need a hundred addresses, that means a hundred lines in this file.

iface eno1 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:1::/64
...
iface eno2 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:2::/96
...
iface tun0 inet6 static
        address XXXX:XXXX:XXXX:XXXX:1:3::/80

I've marked the addresses and subnets of all interfaces to make it clear.
eno1 - must be "/64", because that is our address pool.
tun0 - its prefix must be longer (the subnet smaller) than eno1's. Otherwise it is impossible to set up the IPv6 gateway for OpenVPN clients.
eno2 - its prefix must be longer than tun0's. Otherwise OpenVPN clients won't be able to reach the local IPv6 addresses.
For clarity I chose a prefix step of 16, but if you like you could even use a step of "1".
Accordingly, 64+16 = 80, and 80+16 = 96.

For even more clarity:
XXXX:XXXX:XXXX:XXXX:1:1:YYYY:YYYY - addresses to be assigned to specific sites or services on interface eno1.
XXXX:XXXX:XXXX:XXXX:1:2:YYYY:YYYY - addresses to be assigned to specific sites or services on interface eno2.
XXXX:XXXX:XXXX:XXXX:1:3:YYYY:YYYY - addresses to be assigned to OpenVPN clients, or used as OpenVPN service addresses.

To apply the network configuration, the server must be rebooted.
IPv4 changes are applied when you run the following (be sure to wrap it in screen - otherwise this command may simply take down the network on the server):

/etc/init.d/networking restart

Add to the end of the file "/etc/iproute2/rt_tables":

100 eno1t
101 eno2t

Without this you cannot refer to custom tables by name in the file "/etc/network/interfaces".
The numbers must be unique and below 65535.

IPv6 changes can easily be applied without a reboot, but to do that you need to learn at least three commands:

ip -6 addr ...
ip -6 route ...
ip -6 neigh ...

Configure "/etc/sysctl.conf":

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# For receiving ARP replies
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0

# For sending ARP
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.default.arp_announce = 0

# Enable IPv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

# For nginx on boot
net.ipv6.ip_nonlocal_bind = 1

These are the "sysctl" settings from my server. Let me point out a few important ones.

net.ipv4.ip_forward = 1

Without this, OpenVPN won't work at all: the kernel will not forward the clients' IPv4 packets.

net.ipv6.ip_nonlocal_bind = 1

Anyone who tries to bind an IPv6 address (nginx, for example) right after the interface comes up will get an error saying the address is not available: an IPv6 address only becomes usable once duplicate address detection (DAD) has finished, which takes a moment after the interface is up.

To avoid that situation, this setting is applied: it lets a process bind an address that is not (yet) local.

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1

Without these IPv6 settings, traffic from an OpenVPN client never gets out to the world. The server has to forward the clients' packets, and since the client addresses are carved out of the server's own /64, the upstream router sends neighbour solicitations for them on eno1; proxy NDP lets the server answer those (the client-connect script below adds one proxy entry per client).

The other settings are either unimportant, or I don't remember what they are for.
But just in case, I leave them "as is".

To have changes in this file applied without rebooting the server, run:

sysctl -p

More details about "table" rules: habr.com/post/108690

============= OpenVPN ==============

OpenVPN over IPv4 doesn't work without iptables.

My iptables rules for the VPN look like this:

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
##iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

YY.YY.YY.YY is the static IPv4 address of my local machine.
10.8.0.0/24 - the IPv4 openvpn network, i.e. the IPv4 addresses of the openvpn clients.
The order of the rules matters.
Two things to check before copying these rules. They filter UDP port 1194, while the server and client configs below use "proto tcp-server" / "proto tcp-client", so a TCP listener on 1194 is not restricted by them at all; use "-p tcp" to match the protocol you actually run. And they are IPv4-only: with net.ipv6.conf.all.forwarding = 1 and globally routable IPv6 addresses on the VPN clients, the FORWARD chain in ip6tables needs equivalent rules, otherwise the clients are reachable from the internet unfiltered.

iptables -A INPUT -p udp -s YY.YY.YY.YY --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno1 -j ACCEPT
...
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A FORWARD -p udp --dport 1194 -j DROP

This restriction means that only I can use OpenVPN, from my static IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source XX.XX.XX.X0
  -- or --
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE

To pass IPv4 packets between the OpenVPN clients and the internet, you need one of these two commands.

In some situations one of the options doesn't fit.
In my case both are suitable.
After reading the documentation, I chose the first option because it uses less CPU (SNAT rewrites to a fixed address, while MASQUERADE looks up the outgoing interface's address for every new connection).

For all iptables settings to be restored after a reboot, you need to save them somewhere.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

These names weren't chosen at random. They are the ones used by the "iptables-persistent" package.

apt-get install iptables-persistent

Install the main OpenVPN packages:

apt-get install openvpn easy-rsa

Let's set up the certificate template (substitute your own values):

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
ln -s openssl-1.0.0.cnf openssl.cnf

Edit the certificate template settings:

mcedit vars

...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="Krasnodar"
export KEY_CITY="Dinskaya"
export KEY_ORG="Own"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"

# X509 Subject Field
export KEY_NAME="server"
...

Create the server certificate:

cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Let's prepare the ability to create the final "client-name.ovpn" files:

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
mcedit ~/client-configs/base.conf

# Client mode
client

# Interface tunnel type
dev tun

# TCP protocol
proto tcp-client

# Address/Port of VPN server
remote XX.XX.XX.X0 1194

# Don't bind to local port/address
nobind

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Remote peer must have a signed certificate
remote-cert-tls server
ns-cert-type server

# Enable compression
comp-lzo

# Custom
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC

Let's prepare a script that combines all the files into a single .ovpn file.

mcedit ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA certificate, the client's own
# certificate and key, and the tls-auth key, each wrapped in its inline tag.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Create the first OpenVPN client:

cd ~/openvpn-ca
source vars
./build-key client-name
cd ~/client-configs
./make_config.sh client-name

The file "~/client-configs/files/client-name.ovpn" is sent to the client device.

For iOS clients you need the following trick:
The contents of the "tls-auth" tag must not contain comment lines.
And put "key-direction 1" immediately before the "tls-auth" tag.
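A builder that applies both iOS fixes while inlining the files, added here as an example and not the article's own make_config.sh: it strips the "#" comment lines from ta.key, emits "key-direction 1" directly before the <tls-auth> block, and drops the file-based "tls-auth"/"ca"/"cert"/"key" directives from the base config because their contents are now inline. The directory layout (keys directory, base.conf, output directory) is the one assumed in the text; the function takes them as arguments.

```shell
#!/bin/sh
# Added example, not the article's own make_config.sh: build one .ovpn file with
# the keys inlined and the two iOS fixes from the text applied. Arguments are
# the client name, the easy-rsa keys directory, the base config and the output
# directory (the paths used in the article are only the assumed defaults).

# Print a key file without OpenVPN's leading "#" comment lines.
strip_comments() {
    sed '/^#/d' "$1"
}

# Wrap stdin in <tag> ... </tag>.
inline_block() {
    # $1: tag name
    printf '<%s>\n' "$1"
    cat
    printf '</%s>\n' "$1"
}

# make_ovpn NAME KEY_DIR BASE_CONF OUT_DIR -> prints the path of the new file.
make_ovpn() {
    name=$1; key_dir=$2; base_conf=$3; out_dir=$4
    out="$out_dir/$name.ovpn"
    for f in "$base_conf" "$key_dir/ca.crt" "$key_dir/$name.crt" \
             "$key_dir/$name.key" "$key_dir/ta.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    umask 077      # the output carries a private key: owner-readable only
    {
        # File-based directives are replaced by the inline blocks below; the
        # key direction is stated once, immediately before <tls-auth>.
        grep -Ev '^(ca|cert|key|tls-auth|key-direction)[[:space:]]' "$base_conf"
        inline_block ca   < "$key_dir/ca.crt"
        inline_block cert < "$key_dir/$name.crt"
        inline_block key  < "$key_dir/$name.key"
        echo 'key-direction 1'
        strip_comments "$key_dir/ta.key" | inline_block tls-auth
    } > "$out"
    echo "$out"
}
```

Usage on the server: `make_ovpn client-name ~/openvpn-ca/keys ~/client-configs/base.conf ~/client-configs/files`. Because the tls-auth key and direction are inline, the `tls-auth ta.key 1` line of base.conf is not needed in the output and is removed rather than left pointing at a file the phone does not have.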

Let's set up the OpenVPN server configuration. The server only needs ca.crt, server.crt, server.key, ta.key and dh2048.pem; ca.key is the CA's signing key and is not referenced by server.conf, so there is no reason to copy it onto the VPN server in the next command (keep it with the easy-rsa directory, offline if possible):

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf
mcedit /etc/openvpn/server.conf

# Listen port
port 1194

# Protocol
proto tcp-server

# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6

# Master certificate
ca ca.crt

# Server certificate
cert server.crt

# Server private key
key server.key

# Diffie-Hellman parameters
dh dh2048.pem

# Allow clients to communicate with each other
client-to-client

# Client config dir
client-config-dir /etc/openvpn/ccd

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 XXXX:XXXX:XXXX:XXXX:1:3::/80
topology subnet

# IPv6 routes
push "route-ipv6 XXXX:XXXX:XXXX:XXXX::/64"
push "route-ipv6 2000::/3"

# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS

# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun

# Ping every 10s. Timeout of 120s.
keepalive 10 120

# Enable compression
comp-lzo

# User and group
user vpn
group vpn

# Log a short status
status openvpn-status.log

# Logging verbosity
##verb 4

# Custom config
tls-auth ta.key 0
cipher DES-EDE3-CBC

This is needed to set a static address for each client (not required, but I use it):

# Client config dir
client-config-dir /etc/openvpn/ccd

The most difficult and key detail.

Unfortunately, OpenVPN doesn't yet know how to set up the IPv6 gateway for clients on its own.
This has to be "pushed by hand" for each client.

# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"

File "/etc/openvpn/server-clientconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
        echo $ipv6
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Create proxy rule
/sbin/ip -6 neigh add proxy $ipv6 dev eno1

File "/etc/openvpn/server-clientdisconnect.sh":

#!/bin/sh

# Check client variables
if [ -z "$ifconfig_pool_remote_ip" ] || [ -z "$common_name" ]; then
        echo "Missing environment variable."
        exit 1
fi

# Load server variables
. /etc/openvpn/variables

ipv6=""

# Find out if there is a specific config with fixed IPv6 for this client
if [ -f "/etc/openvpn/ccd/$common_name" ]; then
        # Get fixed IPv6 from client config file
        ipv6=$(sed -nr 's/^.*ifconfig-ipv6-push[ \t]+([0-9a-fA-F:]+).*$/\1/p' "/etc/openvpn/ccd/$common_name")
fi

# Get IPv6 from IPv4
if [ -z "$ipv6" ]; then
        ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
        if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
                echo "Invalid IPv4 part."
                exit 1
        fi
        hexipp=$(printf '%x' $ipp)
        ipv6="$prefix$hexipp"
fi

# Delete proxy rule
/sbin/ip -6 neigh del proxy $ipv6 dev eno1

Both scripts use the file "/etc/openvpn/variables":

# Subnet
prefix=XXXX:XXXX:XXXX:XXXX:2:
# netmask
prefixlen=112

I find it hard to remember why it is written this way.

Now the netmask = 112 looks strange (it should be 96 there).
And the prefix is surprising; it doesn't match the tun0 network.
But fine, I'll leave it as is.
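The address derivation the two hook scripts perform, written out as an added example (not the article's scripts) with the checks they lack. OpenVPN assigns each client its pool IPv6 address at the same offset as its IPv4 pool address, which is why prefix + hex(last octet) reproduces the assignment; that only holds when the prefix in /etc/openvpn/variables equals the server-ipv6 pool base, so here 2001:db8:0:1:1:3:: (an assumed documentation-range stand-in for XXXX:XXXX:XXXX:XXXX:1:3::) is used for both. The example rejects leases outside 2..254, refuses a ccd override that lies outside the pool, and wraps the "ip -6 neigh ... proxy" call used on connect and disconnect.

```shell
#!/bin/sh
# Added example, not the article's client-connect script: derive the IPv6
# address of an OpenVPN client from its IPv4 lease the way
# server-clientconnect.sh does (prefix + hex of the last octet, which matches
# OpenVPN's rule of assigning pool IPv6 addresses at the same offset as the
# IPv4 pool address), with the checks that script lacks. 2001:db8:0:1:1:3:: is
# an assumed stand-in for XXXX:XXXX:XXXX:XXXX:1:3::, the server-ipv6 pool.

POOL_PREFIX='2001:db8:0:1:1:3::'   # assumed: must equal the server-ipv6 pool base
SERVER_DEV=eno1                    # interface carrying the /64 (proxy NDP goes here)

# Address from the "ifconfig-ipv6-push" line of a client-config-dir file, if any.
ccd_ipv6() {
    # $1: path of the ccd file (may not exist)
    [ -f "$1" ] || return 0
    sed -nE 's/^[[:space:]]*ifconfig-ipv6-push[[:space:]]+([0-9a-fA-F:]+).*$/\1/p' "$1" | head -n 1
}

# IPv6 address for a client: the ccd override if present, else prefix + hex(octet).
# Rejects octets outside 2..254 and anything that is not a dotted quad; a ccd
# address is accepted only when it lies in the pool (a textual prefix test, so
# write ccd addresses in the same form as POOL_PREFIX).
client_ipv6() {
    # $1: IPv4 lease (ifconfig_pool_remote_ip), $2: ccd file (optional)
    fixed=$(ccd_ipv6 "${2:-/nonexistent}")
    if [ -n "$fixed" ]; then
        case "$fixed" in
            "$POOL_PREFIX"*) printf '%s\n' "$fixed"; return 0 ;;
            *) echo "ccd address $fixed is outside $POOL_PREFIX" >&2; return 1 ;;
        esac
    fi
    case "$1" in
        *.*.*.*) ;;
        *) echo "not an IPv4 address: $1" >&2; return 1 ;;
    esac
    ipp=${1##*.}
    case "$ipp" in
        ''|0*|*[!0-9]*) echo "bad host octet in $1" >&2; return 1 ;;
    esac
    if [ "$ipp" -lt 2 ] || [ "$ipp" -gt 254 ]; then
        echo "host octet out of range in $1" >&2; return 1
    fi
    printf '%s%x\n' "$POOL_PREFIX" "$ipp"
}

# The proxy-NDP entry that makes the upstream router hand the client's packets
# to this server: "add" on client-connect, "del" on client-disconnect.
proxy_ndp() {
    # $1: add|del, $2: client IPv6 address
    ip -6 neigh "$1" proxy "$2" dev "$SERVER_DEV"
}

# Hook entry point, as OpenVPN would call it with its environment set.
# Usage: client_hook add|del   (needs $ifconfig_pool_remote_ip and $common_name)
client_hook() {
    [ -n "$ifconfig_pool_remote_ip" ] && [ -n "$common_name" ] || {
        echo "Missing environment variable." >&2; return 1; }
    addr=$(client_ipv6 "$ifconfig_pool_remote_ip" "/etc/openvpn/ccd/$common_name") || return 1
    proxy_ndp "$1" "$addr"
}
```

With this in place the connect and disconnect scripts reduce to sourcing the file and calling `client_hook add` or `client_hook del`, and a typo in a ccd file can no longer create a proxy NDP entry for an address outside the pool.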

cipher DES-EDE3-CBC

This isn't for everyone; it's the connection encryption I chose. Two cautions for anyone copying it: DES-EDE3-CBC (3DES) is a 64-bit block cipher, so a long-lived tunnel is exposed to the Sweet32 birthday attack, and "comp-lzo" lets an attacker who can inject plaintext into the tunnel run a compression side channel (VORACLE); "cipher AES-256-GCM" without compression is the safe choice today. "ns-cert-type" (listed twice in the client config) is deprecated in favour of "remote-cert-tls server", which is already present.

Read more about configuring OpenVPN for IPv4.

Read more about configuring OpenVPN for IPv6.

============= Postfix configuration =============

Install the main package:

apt-get install postfix

During installation, choose "Internet Site".

My "/etc/postfix/main.cf" looks like this:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain1.com
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

internal_mail_filter_classes = bounce

# Storage type
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        #reject_invalid_hostname,
        #reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service unix:private/policyd-spf

smtpd_helo_restrictions =
        #reject_invalid_helo_hostname,
        #reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        permit

# SPF
policyd-spf_time_limit = 3600

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

Let's go over the details of this configuration. Two settings deserve a second look before copying it: "smtp_tls_ciphers = export" allows export-grade cipher suites on outbound connections (Postfix's own default since 2.6 is "medium"), and "inet_protocols = ipv4" limits Postfix to IPv4, so the IPv6 sending and receiving listed in the requirements needs "inet_protocols = all".

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

According to Habr residents, this block contains "misinformation and misconceptions". Only 8 years into my career did I begin to understand how SSL works.

So I'll take the liberty of explaining how to use SSL (without answering the questions "How does it work?" and "Why does it work?").

The basis of modern encryption is the creation of a key pair (two very long strings of characters).

One "key" is private, the other "key" is public. We keep the private key carefully secret. We hand the public key out to everyone.

Using the public key, you can encrypt a string of text so that only the owner of the private key can decrypt it.
Well, that is the whole basis of the technology.

Step #1 - https sites.
When you open a site, the browser learns from the web server that the site is https and therefore asks for its public key.
The web server gives the public key. The browser uses the public key to encrypt the http request and sends it (in real TLS the public key is used to agree on a short-lived symmetric session key and the request is encrypted with that key, but the effect is the same).
The contents of the http request can be read only by those who have the private key, i.e. only the server the request is sent to.
An http request contains at least the URI. Therefore, if a country tries to restrict access not to a whole site but to a specific page, this cannot be done for https sites.

Step #2 - the encrypted response.
The web server gives a response that would be easy to read on the way.
The solution is very simple: the browser locally generates a private-public key pair for each https site.
And together with the request for the site's public key, it sends its own local public key.
The web server remembers it and, when sending the http response, encrypts it with the public key of that particular client.
Now the http response can be decrypted only by the owner of the browser's private key (i.e. the client itself).
(In real TLS the session key agreed in step 1 already protects both directions; the browser-side key pair is only a model.)

Step #3 - establishing a secure connection over a public channel.
There is a vulnerability in example #2: nothing stops well-wishers from intercepting the http request and editing the public key information.
Then the middleman will clearly see the entire contents of the sent and received messages until the communication channel changes.
Dealing with this is very simple: just send the browser's public key as a message encrypted with the web server's public key.
The web server then first sends a reply like "your public key is such-and-such" and encrypts this message with that same public key.
The browser looks at the reply; if the message "your public key is such-and-such" arrives, this is a 100% guarantee that the channel is secure.
How secure?
Creating such a secure channel takes ping*2, for example 20ms.
The attacker must already have the private key of one of the parties. Or obtain the private key within a few milliseconds.
Cracking one modern private key would take decades on a supercomputer.

Step #4 - the public database of public keys.
Obviously, in this whole story there is an opportunity for an attacker to sit in the channel between the client and the server.
Towards the client the attacker can pretend to be the server, and towards the server pretend to be the client, emulating a key pair in both directions.
Then the attacker will see all the traffic and be able to "edit" it.
For example, change the address where money is sent, or copy the password to an online bank, or block "objectionable" content.
To fight such attackers, a public database of public keys for each https site was invented.
Each browser "knows" about the existence of roughly 200 such databases. This comes preinstalled in every browser.
The "knowledge" is backed by the public key of each authority. That is, the connection to each specific authority cannot be forged.

Now there is a simple understanding of how to use SSL for https.
If you use your brain, it becomes clear how the intelligence services can break into something in this structure. But it will cost them enormous effort.
And for organisations smaller than the NSA or CIA it is almost impossible to break the existing level of protection, even for VIPs.

I'll also add something about ssh connections. There is no public key database there, so what do you do? The issue is solved in two ways.
The ssh-by-password option:
On the first connection, the ssh client should warn that we have a new public key from the ssh server.
And on subsequent connections, if the "new public key from the ssh server" warning appears, it means someone is trying to eavesdrop on you.
Or you were eavesdropped on during your first connection, but now you are talking to the server without intermediaries.
Actually, because the fact of wiretapping is revealed easily, quickly and effortlessly, this attack is used only in special cases against a specific client.

The ssh-by-key option:
We take a flash drive and write the ssh server's private key to it (there are many conditions and important nuances here, but I'm writing an educational piece, not usage instructions).
We leave the public key on the machine where the ssh client will be, and keep it secret as well (a public key does not actually need to be secret; what matters is that it is pinned in the client's known_hosts before the first connection).
We bring the flash drive to the server, plug it in, copy the private key, then burn the flash drive and scatter the ashes in the wind (or at least zero it out).
That's it; after such an operation it will be impossible to break into such an ssh connection. Of course, in 10 years it may be possible to look at the traffic on a supercomputer, but that's a different story.

Sorry for the off-topic.

So now the theory is known. I'll describe the workflow for creating an SSL certificate.

Using "openssl genrsa" we create a private key and a "blank" for the public key.
We send the "blank" to a third-party company, where we pay about $9 for a simple certificate.

A few hours later we receive our "public" key and a set of several public keys from that third-party company.

Why a third-party company should be paid for registering my public key is a separate question; we won't go into it here.

Now it is clear what this entry means:

smtpd_tls_key_file=/etc/ssl/domain1.com.2018.key

The folder "/etc/ssl" contains all files related to ssl.
domain1.com - the domain name.
2018 - the year the key was created.
"key" - the name means that the file is the private key.

And the explanation of this file:

smtpd_tls_cert_file=/etc/ssl/domain1.com.2018.chained.crt
domain1.com - the domain name.
2018 - the year the key was created.
chained - the name means there is a chain of public keys (the first is our public key and all the others are those of the company that issued our public key).
crt - the name means there is a ready-made certificate (a public key with technical descriptions).

smtp_bind_address = XX.XX.XX.X0
smtp_bind_address6 = XXXX:XXXX:XXXX:XXXX:1:1:1:1

This setting is not used in this case, but it is written as an example.

Because a mistake in this parameter will lead to spam being sent from your server (without your will).

Then prove to everyone that you are innocent.

recipient_delimiter = +

Many people may not know it, but this is a standard character for categorizing emails, and it is supported by most modern mail servers.

For example, if you have a mailbox "[email protected]", try sending to "[email protected]" - and see what happens to it.

inet_protocols = ipv4

This might be confusing.

But that is how it is. Each new domain is IPv4-only by default, and then I enable IPv6 for each one separately.

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Here we specify that all incoming mail goes to dovecot.
And the rules for domains, mailboxes and aliases are looked up in the database.

/etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_domains WHERE name='%s'

/etc/postfix/mysql-virtual-mailbox-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT 1 FROM virtual_users WHERE email='%s'

/etc/postfix/mysql-virtual-alias-maps.cf

user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
query = SELECT destination FROM virtual_aliases WHERE source='%s'
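To show how the three queries above and the recipient_delimiter setting work together when Postfix resolves one incoming recipient, here is an added example; it is not code from the page or from Postfix. It uses an in-memory sqlite3 database as a constructed stand-in for the "servermail" MySQL database (same table and column names as the page's queries), with constructed sample rows for domain1.com and domain2.com, and it applies the lookup order Postfix uses: the full address, the address without its "+extension", and (for aliases only) a "@domain" catch-all.

```python
import sqlite3

# Constructed stand-in for the "servermail" MySQL database that the page's
# three mysql-virtual-*.cf files query. sqlite3 is used only so that this
# runs offline; table and column names follow the page's SQL. The password
# values are placeholders, not real hashes.
SCHEMA = """
CREATE TABLE virtual_domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE virtual_users   (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password TEXT NOT NULL);
CREATE TABLE virtual_aliases (id INTEGER PRIMARY KEY, source TEXT NOT NULL, destination TEXT NOT NULL);
INSERT INTO virtual_domains (name) VALUES ('domain1.com'), ('domain2.com');
INSERT INTO virtual_users (email, password) VALUES
  ('alice@domain1.com', '{SHA512-CRYPT}PLACEHOLDER-HASH'),
  ('bob@domain2.com',   '{SHA512-CRYPT}PLACEHOLDER-HASH');
INSERT INTO virtual_aliases (source, destination) VALUES
  ('postmaster@domain1.com', 'alice@domain1.com'),
  ('@domain2.com',           'bob@domain2.com');
"""

RECIPIENT_DELIMITER = "+"  # the page's main.cf setting
MAX_ALIAS_DEPTH = 5        # guard against alias loops (a -> b -> a)


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def split_address(addr):
    """Return (local part without extension, extension, domain), lower-cased."""
    local, _, domain = addr.lower().rpartition("@")
    base, _, ext = local.partition(RECIPIENT_DELIMITER)
    return base, ext, domain


def lookup_keys(addr):
    """Keys Postfix tries, in order: full address, address minus +extension, @domain."""
    base, ext, domain = split_address(addr)
    keys = [addr.lower()]
    if ext:
        keys.append(f"{base}@{domain}")
    keys.append(f"@{domain}")
    return keys


def resolve_recipient(db, addr, depth=0):
    """Simulate the virtual_mailbox_domains / virtual_alias_maps /
    virtual_mailbox_maps lookups for one envelope recipient.
    Returns ('reject', None) for a domain we do not host, ('deliver', mailbox)
    for a known mailbox, and ('unknown-user', None) otherwise."""
    _, _, domain = split_address(addr)
    keys = lookup_keys(addr)
    # virtual_mailbox_domains: SELECT 1 FROM virtual_domains WHERE name='%s'
    if db.execute("SELECT 1 FROM virtual_domains WHERE name=?", (domain,)).fetchone() is None:
        return ("reject", None)
    # virtual_alias_maps: SELECT destination FROM virtual_aliases WHERE source='%s'
    # (an "@domain" key acts as a catch-all alias for the whole domain)
    for key in keys:
        row = db.execute("SELECT destination FROM virtual_aliases WHERE source=?", (key,)).fetchone()
        if row is not None:
            target = row[0].lower()
            if target != addr.lower() and depth < MAX_ALIAS_DEPTH:
                return resolve_recipient(db, target, depth + 1)
            break
    # virtual_mailbox_maps: SELECT 1 FROM virtual_users WHERE email='%s'
    # (no "@domain" catch-all here; the +extension is stripped on the second try)
    for key in keys[:-1]:
        if db.execute("SELECT 1 FROM virtual_users WHERE email=?", (key,)).fetchone() is not None:
            return ("deliver", key)
    return ("unknown-user", None)


if __name__ == "__main__":
    db = open_db()
    for rcpt in ["alice@domain1.com", "Alice+lists@domain1.com", "postmaster@domain1.com",
                 "carol+x@domain2.com", "nobody@domain1.com", "alice@evil.example"]:
        print(rcpt, "->", resolve_recipient(db, rcpt))
```

The "Alice+lists@domain1.com" case is the one the recipient_delimiter paragraph is about: the tagged address has no row of its own, so the second lookup key ("alice@domain1.com") finds the mailbox and the tag survives in the delivered message for the user's filters.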

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now postfix knows that mail may be accepted for relaying only after authentication through dovecot.

I don't really understand why this is repeated here. We have already specified everything needed in "virtual_transport".

But the postfix system is very old - perhaps it is a holdover from the old days.

smtpd_recipient_restrictions =
        ...

smtpd_helo_restrictions =
        ...

smtpd_client_restrictions =
        ...

This can be configured differently on each mail server.

I have 3 mail servers at my disposal, and these settings differ a lot between them because of different usage requirements.

You need to configure this carefully - otherwise spam will flow in to you, or even worse - spam will flow out from you.

# SPF
policyd-spf_time_limit = 3600

A setting for the plugin that does SPF checking of incoming messages.

# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock

Configuration so that we attach a DKIM signature to all outgoing mail.

# IP address per domain
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

This is an important detail for controlling mail when messages are sent from PHP scripts.

The file "/etc/postfix/sdd_transport.pcre":

/^[email protected]$/ domain1:
/^[email protected]$/ domain2:
/^[email protected]$/ domain3:
/@domain1.com$/             domain1:
/@domain2.com$/             domain2:
/@domain3.com$/             domain3:

On the left are regular expressions. On the right is the label that marks the message.
Postfix, according to the label, will apply a few more configuration lines to that particular message.

How postfix is reconfigured for a particular message will be shown in "master.cf".

Lines 4, 5 and 6 are the main ones. Depending on which domain the message is sent on behalf of, we set this label.
But the "from" field is not always set in PHP scripts in old code. Then the username helps.
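The first-match-wins logic of that table, together with the master.cf overrides it selects, as an added example (not the page's or Postfix's own code). The page's first three patterns are obscured in the extraction; the "www-domainN@" forms used here are an assumption modelled on the "www-domain2" linux user described below (a script that sets no From header sends as user@hostname). The per-transport values are copied from the page's master.cf entries with its own XX placeholders, and the main.cf fallback for smtp_helo_name is Postfix's documented default, $myhostname.

```python
import re

# Constructed copy of the page's /etc/postfix/sdd_transport.pcre. The first
# three rules are an assumption (the page's originals are obscured); dots in
# the domain rules are escaped so that they match a literal "." only.
SDD_TRANSPORT_PCRE = r"""
/^www-domain1@.*$/ domain1:
/^www-domain2@.*$/ domain2:
/^www-domain3@.*$/ domain3:
/@domain1\.com$/   domain1:
/@domain2\.com$/   domain2:
/@domain3\.com$/   domain3:
"""

# Constructed mirror of the "-o" overrides on the page's master.cf services
# (XX.XX.XX.X1 etc. are the page's own placeholders).
MASTER_CF_TRANSPORTS = {
    "domain1": {"smtp_bind_address": "XX.XX.XX.X1", "smtp_helo_name": "domain1.com",
                "smtp_bind_address6": "XXXX:XXXX:XXXX:XXXX:1:1:1:1"},
    "domain2": {"smtp_bind_address": "XX.XX.XX.X5", "smtp_helo_name": "domain2.com",
                "smtp_bind_address6": "XXXX:XXXX:XXXX:XXXX:1:2:1:1"},
    "domain3": {"smtp_bind_address": "XX.XX.XX.X2", "smtp_helo_name": "domain3",
                "smtp_bind_address6": "XXXX:XXXX:XXXX:XXXX:1:1:5:1"},
}

# What applies when no rule matches: the page's main.cf smtp_bind_address and
# Postfix's default helo name ($myhostname).
MAIN_CF_DEFAULTS = {"smtp_bind_address": "XX.XX.XX.X0", "smtp_helo_name": "$myhostname"}

# One pcre table line: /pattern/flags  result
TABLE_LINE = re.compile(r"^/(?P<pattern>.*)/(?P<flags>[a-zA-Z]*)\s+(?P<result>\S+)$")


def parse_pcre_table(text):
    """Parse a Postfix pcre: table into a list of (compiled regex, result).
    Postfix pcre tables match case-insensitively by default; an explicit "i"
    flag toggles that off (pcre_table(5))."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable pcre table line: {line!r}")
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pattern"), flags), m.group("result")))
    return rules


RULES = parse_pcre_table(SDD_TRANSPORT_PCRE)


def select_transport(rules, sender):
    """Return the master.cf service chosen for an envelope sender, or None
    when no rule matches (Postfix then uses the default transport)."""
    for pattern, result in rules:
        if pattern.search(sender):
            return result.rstrip(":")  # "domain2:" names the service "domain2"
    return None


def delivery_parameters(rules, sender):
    """Combine the table result with the overrides of the selected service."""
    service = select_transport(rules, sender)
    params = dict(MAIN_CF_DEFAULTS)
    if service is not None:
        params.update(MASTER_CF_TRANSPORTS[service])
    params["service"] = service or "smtp"
    return params
```

A sender of "www-domain2@srv01.example" (the From-less PHP case) lands on the domain2 service and therefore leaves from XX.XX.XX.X5 with helo domain2.com; "root@srv01.example" matches nothing and goes out through the default smtp transport, which is exactly the path a misconfigured script would take.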

The topic is already broad - I don't want to get side-tracked into setting up nginx+fpm.

In short, each site gets its own linux user as owner. And accordingly its own fpm pool.

The fpm pool runs any php version (it's great that on the same server you can use different php versions and even different php.ini files for neighbouring sites without problems).

So, the specific linux user "www-domain2" owns the site domain2.com. That site has code that sends emails without specifying the from field.

So, in this case too, the messages will be sent correctly and will never end up in spam.

My "/etc/postfix/master.cf" looks like this:

...
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
...
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
...
domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

domain2  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X5
   -o smtp_helo_name=domain2.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:2:1:1
   -o syslog_name=postfix-domain2

domain3  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X2
   -o smtp_helo_name=domain3
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:5:1
   -o syslog_name=postfix-domain3

The file is not given in full - it is already very large.
I noted only what was changed.

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

These are settings related to spamassassin; more on that later.

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

We allow connecting to the mail server on port 587.
To do this, you must authenticate.

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Enable SPF checking.

apt-get install postfix-policyd-spf-python

Install the package for the SPF checking above.

domain1  unix -       -       n       -       -       smtp
   -o smtp_bind_address=XX.XX.XX.X1
   -o smtp_helo_name=domain1.com
   -o inet_protocols=all
   -o smtp_bind_address6=XXXX:XXXX:XXXX:XXXX:1:1:1:1
   -o syslog_name=postfix-domain1

And this is the most interesting part. It is the ability to send messages for a specific domain from a specific IPv4/IPv6 address.

This is done for the sake of rDNS. rDNS is the procedure for obtaining a name from an IP address.
And for mail, this feature is used to confirm that helo matches exactly the rDNS of the address from which the email was sent.

If helo does not match the email domain on whose behalf the message was sent, spam points are given.

Helo does not match rDNS - many spam points are given.
Accordingly, each domain should have its own IP address.
On OVH - rDNS can be specified in the console.
On tech.ru - the issue is solved through support.
On AWS - the issue is solved through support.
"inet_protocols" and "smtp_bind_address6" - enable IPv6 support.
For IPv6 you also need to register rDNS.
"syslog_name" - this is to make reading the logs easier.
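The helo/rDNS checks described in this section, written out as a small checker, as an added example (not the page's code and not the logic of any particular spam filter). The DNS data is constructed, using documentation address ranges rather than the page's real addresses, and the point weights standing in for "spam points" are invented for illustration. It also covers the extra check receivers commonly apply on top of what the page lists, namely that the PTR name resolves back to the connecting address (forward-confirmed rDNS).

```python
import ipaddress

# Constructed DNS view (documentation ranges, not the page's addresses):
# reverse (PTR) records and the forward A/AAAA records that should confirm them.
PTR_RECORDS = {
    "192.0.2.1":   "domain1.com",
    "2001:db8::1": "domain1.com",
    "192.0.2.5":   "domain2.com",
    "192.0.2.2":   "domain3.com",
    "192.0.2.7":   "domain1.com",   # PTR exists, but domain1.com does not point back here
}
FORWARD_RECORDS = {
    "domain1.com": {"192.0.2.1", "2001:db8::1"},
    "domain2.com": {"192.0.2.5"},
    "domain3.com": {"192.0.2.2"},
}

# Invented weights standing in for the "spam points" the page talks about.
WEIGHTS = {
    "no-rdns": 3.0,
    "rdns-not-forward-confirmed": 2.0,
    "helo-rdns-mismatch": 2.0,
    "helo-sender-domain-mismatch": 1.0,
}


def canonical_ip(text):
    """Normalise an address so that '2001:0db8::1' and '2001:db8::1' compare equal."""
    return str(ipaddress.ip_address(text))


def check_helo(client_ip, helo, sender_domain):
    """Return the list of consistency problems for one SMTP session:
    the connecting IP must have a PTR, the PTR must resolve back to the IP,
    helo must equal the PTR, and helo must be the sender's domain (or a
    host inside it)."""
    ip = canonical_ip(client_ip)
    helo = helo.lower().rstrip(".")
    sender_domain = sender_domain.lower()
    findings = []
    ptr = PTR_RECORDS.get(ip)
    if ptr is None:
        findings.append("no-rdns")
    else:
        if ip not in FORWARD_RECORDS.get(ptr, set()):
            findings.append("rdns-not-forward-confirmed")
        if helo != ptr.lower():
            findings.append("helo-rdns-mismatch")
    if helo != sender_domain and not helo.endswith("." + sender_domain):
        findings.append("helo-sender-domain-mismatch")
    return findings


def spam_score(findings):
    """Sum the constructed weights of the findings."""
    return sum(WEIGHTS[f] for f in findings)


if __name__ == "__main__":
    for session in [("192.0.2.1", "domain1.com", "domain1.com"),
                    ("192.0.2.2", "domain3", "domain3.com"),
                    ("192.0.2.9", "domain1.com", "domain1.com")]:
        found = check_helo(*session)
        print(session, found, spam_score(found))
```

The second sample session mirrors the page's domain3 service, whose smtp_helo_name is "domain3" rather than "domain3.com": against a PTR of domain3.com that helo fails both the rDNS comparison and the sender-domain comparison, which is the situation the text warns about.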

I recommend buying certificates here.

Setting up the postfix+dovecot bundle: here.

Setting up SPF.

============== Dovecot ==============

apt-get install dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-antispam

Setting up mysql - installing the packages themselves.

The file "/etc/dovecot/conf.d/10-auth.conf"

disable_plaintext_auth = yes
auth_mechanisms = plain login

Authentication is allowed only over an encrypted connection.

The file "/etc/dovecot/conf.d/10-mail.conf"

mail_location = maildir:/var/mail/vhosts/%d/%n

Here we specify where messages are stored.

I want them stored as files and grouped by domain.

The file "/etc/dovecot/conf.d/10-master.conf"

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    address = XX.XX.XX.X1, XX.XX.XX.X2, XX.XX.XX.X5, [XXXX:XXXX:XXXX:XXXX:1:1:1:1], [XXXX:XXXX:XXXX:XXXX:1:2:1:1], [XXXX:XXXX:XXXX:XXXX:1:1:5:1]
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

This is the main dovecot configuration file.
Here we disable insecure connections.
And enable secure ones.

The file "/etc/dovecot/conf.d/10-ssl.conf"

ssl = required
ssl_cert = </etc/nginx/ssl/domain1.com.2018.chained.crt
ssl_key = </etc/nginx/ssl/domain1.com.2018.key
local XX.XX.XX.X5 {
  ssl_cert = </etc/nginx/ssl/domain2.com.2018.chained.crt
  ssl_key =  </etc/nginx/ssl/domain2.com.2018.key
}

Setting up ssl. We state that ssl is required.
And the certificate itself. An important detail is the "local" directive. It indicates which SSL certificate to use when a client connects to that local IPv4 address.

However, IPv6 is not configured here; I will fix this omission later.
XX.XX.XX.X5 (domain2) - there is no certificate. To connect clients you need to specify domain1.com.
XX.XX.XX.X2 (domain3) - there is a certificate; you can specify domain1.com or domain3.com to connect clients.

The file "/etc/dovecot/conf.d/15-lda.conf"

protocol lda {
  mail_plugins = $mail_plugins sieve
}

This will be needed for spamassassin later on.

The file "/etc/dovecot/conf.d/20-imap.conf"

protocol imap {
  mail_plugins = $mail_plugins antispam
}

This is the antispam plugin. It is needed for training spamassassin when messages are moved to/from the "Spam" folder.

The file "/etc/dovecot/conf.d/20-pop3.conf"

protocol pop3 {
}

Such a file exists.

The file "/etc/dovecot/conf.d/20-lmtp.conf"

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = [email protected]
}

Setting up lmtp.

The file "/etc/dovecot/conf.d/90-antispam.conf"

plugin {
  antispam_backend = pipe
  antispam_trash = Trash;trash
  antispam_spam = Junk;Spam;SPAM
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program = /usr/bin/sa-learn
  antispam_pipe_program_args = --username=%Lu
}

Settings for training Spamassassin when messages are moved to/from the Spam folder.

The file "/etc/dovecot/conf.d/90-sieve.conf"

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_after = /var/lib/dovecot/sieve/default.sieve
}

The file that specifies what to do with incoming messages.

The file "/var/lib/dovecot/sieve/default.sieve"

require ["fileinto", "mailbox"];

if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

You need to compile the file: "sievec default.sieve".

The file "/etc/dovecot/conf.d/auth-sql.conf.ext"

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

Specifies the sql file used for authentication.
And the file itself is used as the authentication method.

The file "/etc/dovecot/dovecot-sql.conf.ext"

driver = mysql
connect = host=127.0.0.1 dbname=servermail user=usermail password=password
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

This corresponds to the matching postfix settings.

The file "/etc/dovecot/dovecot.conf"

protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
!include_try local.conf

The main configuration file.
The important thing to note here is to add the protocols.

============= SpamAssassin ==============

apt-get install spamassassin spamc

Install the packages.

adduser spamd --disabled-login

Add a user on whose behalf it will run.

systemctl enable spamassassin.service

Enable the spamassassin service so that it starts automatically at boot.

The file "/etc/default/spamassassin":

CRON=1

This enables automatic rule updates (via cron).

The file "/etc/spamassassin/local.cf":

report_safe 0

use_bayes          1
bayes_auto_learn   1
bayes_auto_expire  1
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn      DBI:mysql:sa:localhost:3306
bayes_sql_username sa
bayes_sql_password password

You need to create a database "sa" in mysql with the user "sa" and the password "password" (replace it with something adequate).

report_safe - this would send a spam report email instead of the message itself.
use_bayes - the spamassassin machine-learning settings.

The remaining spamassassin settings were applied at the beginning of the article.

General "spamassassin" setup.
About moving new spam mail to the IMAP "Spam" folder.
About a simple combination of Dovecot + SpamAssassin.
I recommend reading the theory of training spamassassin when moving messages between imap folders (and I do not recommend using it).

============= Complaint to the community ==============

I would also like to throw an idea to the community about how to raise the level of security of forwarded mail, since I am deeply immersed in the mail topic.

So that the user can create a key pair in their client (outlook, thunderbird, browser plugin, ...). Public and private. The public one - publish in DNS. The private one - keep in the client. Mail servers would be able to use the public key to send to a specific recipient.

And to protect against spam in such messages (yes, the mail server won't be able to look at the content), you would need to introduce 3 rules:

  1. A mandatory valid DKIM signature, mandatory SPF, mandatory rDNS.
  2. A neural network for antispam training plus its database on the client side.
  3. The encryption algorithm should be such that the sending side has to spend 100 times more CPU power on encryption than the receiving side.

In addition to public letters, create a standard proposal letter "to start secure communication". One of the users (mailboxes) sends a letter with an attachment to another mailbox. The letter contains a text proposal to start a secure communication channel and the public key of the mailbox owner (with the private key on the client side).

You can even create several keys, one per correspondence. The recipient user can accept this offer and send their own public key (also created specifically for this correspondence). Next, the first user sends a service control letter (encrypted with the second user's public key), upon receipt of which the second user can check that the established channel is reliable. Next, the second user sends a control letter, and then the first user considers the established channel secure.

To combat interception of keys along the way, the protocol should provide the option of transferring at least one public key using a flash drive.

And most importantly, so that all of this works (the question "who will pay?"):
Introduce mail certificates starting at $10 for 3 years. They would allow the sender to indicate in dns that "my public keys are there." And they would give you the ability to start secure communication. At the same time, accepting such communication is free.
gmail would finally monetize its users: $10 for 3 years - the right to create secure communication channels.

============= Conclusion =============

To test the whole article, I was going to rent a dedicated server for a whole month and buy a domain with an SSL certificate.

But life circumstances turned out so that this matter dragged on for 2 months.
So, when I had free time again, I decided to publish the article as is, rather than risk the piece dragging on for another year.

If there are many questions like "but this is not described in enough detail", then there will be the strength to take a dedicated server with a new domain and a new SSL certificate, describe it in more detail and, most importantly, find all the important missing details.

I would also like to get feedback on the idea of mail certificates. If you like the idea, I'll try to find the strength to write a draft rfc.

When copying large parts of the article, provide a link to this article.
When translating into any other language, provide a link to this article.
I'll try to translate it into English myself and leave cross-references.


Source: www.habr.com
